Multi-License Discount Quote

Change Region

English
Threat Database Adware Ads By Man

Ads By Man

By GoldSparrow in Adware

Threat Scorecard

Popularity Rank: 13,609
Threat Level: 20 % (Normal)
Infected Computers: 1,068
First Seen: May 26, 2015
Last Seen: May 23, 2026
OS(es) Affected: Windows

Aggressive adware is a relatively standard PC threat nowadays, mainly because there are countless of techniques that adware may use to deploy itself to your computer. One of the most commonly used techniques involved bundled software, and this is one of the main reasons why adware infections are so common today. Ads By Man is another new piece of adware that may trouble users who were unlucky enough to install this adware while installing useful, cost-free software. If you see advertisements, banners, and pop-ups that are accompanied by text saying "Ads By Man", you probably have adware installed on your computer.

While adware can't perform any harmful activities, its presence can be quite annoying as it may ruin your online experience by flooding your web browser with ads, pop-ups, banners, and other elements used in online advertising. Apart from this, Ads By Man may also drop a tracking cookie on your computer to collect data such as geographic location, IP address, frequented websites, search queries, etc. These actions should be considered unwanted, and the software responsible for them should be eliminated immediately. We recommend taking care of the "Ads By Man" issue by using a reputable and updated anti-malware security application.

Analysis Report

General information

Family Name: Adware.Dotdo
Signature status: No Signature

Known Samples

MD5: 0cb8a2e9cba6963606d2bc7a7c45cab0
SHA1: a95ca3ccc3e8dd886deaed0cc9175926a2d9588e
SHA256: CE13E5413BC2C71A1FAC4D6A4009C506311B6E2F330AF0CE57AA009142C3BF99
File Size: 176.65 KB, 176654 bytes
MD5: 3cefc1adc19ab614e59630a6a59b3bc1
SHA1: 812a1434d93f17899f3dcdb1dc6a9240785409ca
SHA256: 8E2A7861BF07EACEEE20D1ADD1FD98E86B6D738E671940B4D5A55AA35AA5C0B7
File Size: 37.23 KB, 37227 bytes
MD5: 48097253866e0867d8f5ed3e876ca8f8
SHA1: f75eb82176c862e924d79e65e85763e55283047c
SHA256: 59FA92AF53890E08837526359576B2002269803C9F39ED41B693A1167E48ACAA
File Size: 183.09 KB, 183095 bytes
MD5: 5180ae1386133493d85f3532d495f140
SHA1: 20cea369a825110c244bcf1157f855153c51d831
SHA256: E595D7FE57CD20F3DE277396F8AD7EECE1311B0D28CDDF22558CAFE7E7409D04
File Size: 176.60 KB, 176598 bytes
MD5: db7923e7ceec7426f4026298cc7fa26c
SHA1: e18996ef9203ff5d731f3458ca4d4918a2bb26ef
SHA256: 3F1E92B00A01629021F15989943D9627E79D53E77F8D95F16453D877BE5EE562
File Size: 185.34 KB, 185344 bytes

Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have debug information
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File is .NET application
  • File is 32-bit executable
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
Show More
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name Value
Assembly Version 1.0.2.0
Comments network
Company Name windows
File Description network
File Version 1.0.2.0
Internal Name layered.exe
Legal Copyright 2015
Legal Trademarks trade
Original Filename layered.exe
Product Name network
Product Version 1.0.2.0

File Traits

  • .NET
  • Installer Manifest
  • nosig nsis
  • No Version Info
  • Nullsoft Installer
  • x86

Block Information

Total Blocks: 409
Potentially Malicious Blocks: 281
Whitelisted Blocks: 124
Unknown Blocks: 4

Visual Map

? ? x x x 0 0 x x x 0 x x x x x x x 0 x x x x 0 x x 0 x x x x x x x x x 0 0 x x x 0 0 x x 0 0 x 0 0 x 0 0 x x 0 0 x x 0 x 0 x x 0 x 0 x x x x 0 0 0 x 0 0 x 0 x x x x x 0 x 0 x 0 x 0 x 0 x 0 x 0 x x 0 0 0 0 0 x 0 x x x x x x x x x x x x x x x x x 0 x 0 x x 0 x x 0 x x x 0 0 0 x 0 x x x x x x x x x x x x x x x x 0 x 0 x 0 x x x x x x x x x x x x x x x x x x x x 0 x x 0 x x x x x 0 x 0 x x x x x x x x x x x x x x 0 0 0 0 x 0 0 0 x x x x 0 x 0 0 x x x x x x x x x x 0 x x x x x x x x x 0 x 0 x 0 x x x 0 x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x x 0 0 x x 0 0 0 x 0 x x x x x x 0 x x x x x x x x 0 ? ? x x x 0 0 0 0 x 0 x x 0 0 x 0 x 0 x x 0 x 0 x x x x 0 x x 0 0 x x 0 x 0 0 0 x x x 0 0 x x x 0 0 0 x x x 0 x x 0 x 0 x x 0 x x 0 x x x x x 0 0 0 x x 0 0 0 0 0 0 x 0 x 0 x x 0 x 0 x x x x 0 0 0 x 0
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File Attributes
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsca6ad.tmp\simplefc.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nsca832.tmp\simplefc.dll Generic Write,Read Attributes
c:\windows\appcompat\programs\amcache.hve Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve Write Attributes
c:\windows\ujoko Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\windows\wagaukaz Generic Read,Write Data,Write Attributes,Write extended,Append data

Registry Modifications

Key::Value Data API Name
HKCU\software\microsoft\windows\currentversion\run::kiernan "c:\users\user\downloads\812a1434d93f17899f3dcdb1dc6a9240785409ca_0000037227" nzfdacwnzfdacwnzfdacwnzfdac.nzfdacbnzfdacinzfdacvn RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::grouping "C:\Program Files (x86)\Federal\Ovens.exe" nzfdacwnzfdacwnzfdacwnzfdac.nzfdacbnzfdacinzfdacvnzfdac.nzfdacpnzfdacwnzfdac/nzfdacpc RegNtPreCreateKey
HKLM\system\software\microsoft\tip\aggregateresults::data 隞̃缁耀꧌ RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
User Data Access
  • GetUserObjectInformation
Process Shell Execute
  • CreateProcess
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAdjustPrivilegesToken
  • ntdll.dll!NtAlpcConnectPortEx
  • ntdll.dll!NtAlpcCreateSecurityContext
  • ntdll.dll!NtAlpcDeleteSecurityContext
  • ntdll.dll!NtAlpcQueryInformation
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtAssociateWaitCompletionPacket
  • ntdll.dll!NtClearEvent
Show More
  • ntdll.dll!NtClose
  • ntdll.dll!NtCreateEvent
  • ntdll.dll!NtCreateIoCompletion
  • ntdll.dll!NtCreateKey
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtCreateSemaphore
  • ntdll.dll!NtCreateTimer2
  • ntdll.dll!NtCreateWaitCompletionPacket
  • ntdll.dll!NtCreateWorkerFactory
  • ntdll.dll!NtDelayExecution
  • ntdll.dll!NtDeleteValueKey
  • ntdll.dll!NtDeviceIoControlFile
  • ntdll.dll!NtDuplicateObject
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtEnumerateKey
  • ntdll.dll!NtEnumerateValueKey
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtFsControlFile
  • ntdll.dll!NtLoadKeyEx
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtNotifyChangeKey
  • ntdll.dll!NtOpenDirectoryObject
  • ntdll.dll!NtOpenEvent
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcess
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenSymbolicLinkObject
  • ntdll.dll!NtOpenThread
  • ntdll.dll!NtOpenThreadToken
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDefaultLocale
  • ntdll.dll!NtQueryDirectoryFileEx
  • ntdll.dll!NtQueryInformationFile
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySecurityObject
  • ntdll.dll!NtQuerySymbolicLinkObject
  • ntdll.dll!NtQuerySystemInformation
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReadRequestData
  • ntdll.dll!NtReadVirtualMemory
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationKey
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSetTimer2
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtTraceEvent
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWorkerFactoryWorkerReady
  • ntdll.dll!NtWriteFile
  • UNKNOWN
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
Encryption Used
  • BCryptOpenAlgorithmProvider

Shell Command Execution

"C:\Users\Wuktrlqd\AppData\Local\Ovens.exe" nzfdacwnzfdacwnzfdacwnzfdac.nzfdacbnzfdacinzfdacvnzfdac.nzfdacpnzfdacwnzfdac/nzfdacpc2v0v2v0vnzfdac0vi3vi2pc3nzfdacpcvhtmlzaZnzfdacrTNkUXteoDnzfdac4wEOs2D
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 768

Trending

Most Viewed

Loading...